-
-
Notifications
You must be signed in to change notification settings - Fork 745
HelpAddonsAscanrulesBetaAscanbeta
The following beta quality active scan rules are included in this add-on:
Scans for commonly-named backup copies of files on the web server, which may reveal sensitive information.
Checks if the web server is configured to allow Cross Domain access, from a malicious third party service, for instance. Currently checks for wildcards in Adobe's crossdomain.xml, and in SilverLight's clientaccesspolicy.xml.
Scans for the existence of Anti-CSRF tokens.
Alerts on requests which do not appear to contain Anti-CSRF tokens.
At HIGH alert threshold only scans messages which are in scope.
Post 2.5.0 you can specify a comma separated list of identifiers in the rules.csrf.ignorelist parameter via the Options 'Rule configuration' panel. Any FORMs with a name or ID that matches one of these identifiers will be ignored when scanning for missing Anti-CSRF tokens. Only use this feature to ignore FORMs that you know are safe, for example search forms.
Checks if the web application is subject to Expression Language (EL) injection attacks, which occur when an application fails to sufficiently neutralize special elements that could modify the intended EL statement before it is executed.
Detects if the web server is vulnerable to the Heartbleed OpenSSL Vulnerability, by exploiting it. For further details refer to CVE-2014-0160.
Supplying duplicate or numerous HTTP parameters with the same name may cause an application or website to interpret values in unintended ways. By leveraging these effects, a malicious individual may be able to bypass input validation, trigger errors or modify internal variable values. There are difference in treatment of duplicate parameters impacting both clients (browsers) and servers.
Detects (and exploits, depending on the scan settings) known insecure HTTP methods enabled for the URL.
Looks for indicators of integer overflows in compiled code that causes the web server to crash. It does this by putting out multiple strings of integers designed to try and stimulate bad responses.
This scanner attempts to manipulate the padding of encrypted strings to trigger an error response indicating a likely padding oracle vulnerability. Such a vulnerability can affect any application or framework that uses encryption improperly, such as some versions of ASP.net, Java Server Faces, and Mono.
Detect CVE-2012-1823 to perform Remote Code Execution on a PHP-CGI based web server.
Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited.
This scanner perform 2 attacks to detect servers vulnerable to CVE-2014-6271 aka ShellShock. The first is a simple reflected attack and the second is a time based attack.
Post 2.5.0 you can change the length of time used for the attack by changing the rules.common.sleep parameter via the Options 'Rule configuration' panel.
Exploit CVE-2012-1823 to disclose server-side PHP source code on a PHP-CGI based web server. Only analyzes responses that are text based (HTML, JS, JSON, XML, etc), in order to avoid false positives which may occur with image or other binary content.
Uses Subversion source code repository metadata to scan for files containing source code on the web server.
Exploit the presence of an unprotected /WEB-INF folder to download and decompile Java classes, to disclose Java source code.
This scanner uses Hypersonic-specific SQL syntax to attempt to induce time delays in the SQL statement called by the page. If the unmodified query is not affected by a time delay, and the modified query's delay can be controlled, it is indicative of a time-based SQL Injection vulnerability in a Hypersonic SQL database. This scanner is time sensitive, and should only be used in an attempt to find stubborn and un-obvious SQL injection vulnerabilities in a suspected Hypersonic database. For this reason, the number of active scan threads should be set to the minimum when using this scanner, to minimise load on the web server, application server, and database, in order to avoid false positives caused by load delays rather than by SQL injection delays. The scanner tests only for time-based SQL injection vulnerabilities.
Post 2.5.0 you can change the length of time used for the attack by changing the rules.common.sleep parameter via the Options 'Rule configuration' panel.
This scanner uses MySQL-specific SQL syntax to attempt to induce time delays in the SQL statement called by the page. If the unmodified query is not affected by a time delay, and the modified query's delay can be controlled, it is indicative of a time-based SQL Injection vulnerability in a MySQL database. This scanner is time sensitive, and should only be used in an attempt to find stubborn and un-obvious SQL injection vulnerabilities in a suspected MySQL database. For this reason, the number of active scan threads should be set to the minimum when using this scanner, to minimise load on the web server, application server, and database, in order to avoid false positives caused by load delays rather than by SQL injection delays. The scanner tests only for time-based SQL injection vulnerabilities.
Post 2.5.0 you can change the length of time used for the attack by changing the rules.common.sleep parameter via the Options 'Rule configuration' panel.
This scanner uses Oracle-specific SQL syntax to attempt to induce time delays in the SQL statement called by the page. If the unmodified query is not affected by a time delay, and the modified query's delay can be controlled, it is indicative of a time-based SQL Injection vulnerability in a Oracle SQL database. This scanner is time sensitive, and should only be used in an attempt to find stubborn and un-obvious SQL injection vulnerabilities in a suspected Oracle database. For this reason, the number of active scan threads should be set to the minimum when using this scanner, to minimise load on the web server, application server, and database, in order to avoid false positives caused by load delays rather than by SQL injection delays. The scanner tests only for time-based SQL injection vulnerabilities.
Note that this rule does not currently allow you to change the length of time used for the timing attacks due to the way the delay is caused.
This scanner uses PostgreSQL-specific SQL syntax to attempt to induce time delays in the SQL statement called by the page. If the unmodified query is not affected by a time delay, and the modified query's delay can be controlled, it is indicative of a time-based SQL Injection vulnerability in a PostgreSQL database. This scanner is time sensitive, and should only be used in an attempt to find stubborn and un-obvious SQL injection vulnerabilities in a suspected PostgreSQL database. For this reason, the number of active scan threads should be set to the minimum when using this scanner, to minimise load on the web server, application server, and database, in order to avoid false positives caused by load delays rather than by SQL injection delays. The scanner tests only for time-based SQL injection vulnerabilities.
Post 2.5.0 you can change the length of time used for the attack by changing the rules.common.sleep parameter via the Options 'Rule configuration' panel.
It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. This scanner is skipped if there are no contexts defined that use Form-based Authentication, and only runs against the URL identified as the login URL of a context.
As described by OWASP: "XPath Injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured, or access data that he may not normally have access to. He may even be able to elevate his privileges on the web site if the XML data is being used for authentication (such as an XML based user file) or authorization." This scanner attempts to identify such weaknesses.
This component attempts to identify applications which are subject to XML eXternal Entity (XXE) attacks. Applications which parse XML input may be subject to XXE when weakly or poorly configured parsers handle XML input containing reference to an external entity such as a local file, HTTP requests to internal or tertiary systems, etc.
It requires the Callback extension, so will not work if this extension is disabled or removed. It is also recommended that you test that the Callback extension is correctly configured for your target site. If the target system cannot connect to the Callback Address then some XXE vulnerabilities will not be detected.